Spawns a root shell. Has not been tested for potential remote exploitation vectors.

Discovered by a student that wishes to remain anonymous in the course CTF. This 0day exploit for Backtrack 5 R2 was discovered by a student in the InfoSec Institute Ethical Hacking class, during an evening CTF exercise. The student wishes to remain anonymous, he has contributed a python version of the 0day, a patch that can be applied to wicd, as well as a writeup detailing the discovery and exploitation process. You can find a python version of the exploit and full write up with patch here: http://www.infosecinstitute.com/courses/ethical_hacking_training.html

lorddicranius wrote:Not so much a BackTrack 0day as it is a wicd 0day, isn't it?

Right.

The comments here sum up my thoughts. Did they even notify the dev and give them an opportunity to fix it themselves? This doesn't seem to be setting a good example for the students.

http://threatpost.com/en_us/blogs/critical-flaw-found-security-pros-favorite-backtrack-linux-041112 wrote:1) The title of this vulnerability should probably be "WICD Priv Escalation". As such, it should probably be reported to the WICD developers, as opposed to the BackTrack development team. If you still felt the bug report should be posted to us, the right place to post it would be "BackTrack bugs" (although it is not), or even better, our redmine ticket system.

2) Giving the pre-requisites for the exploit to function would be helpful. In this case, you would need to create a non root user in BackTrack, have a remote attacker access BT with that non privileged account or have anunprivileged shell from a previous attack against another service, and then have that user attempt to connect to a wireless access point (assuming wicd is running as root). This is far from the default configuration in BackTrack, which further negates the title of this vulnerability.

3) Making a mountain out of a molehill for the purpose of promoting a product or service is generally frowned upon by the security industry, especially when one already has a bad reputation.

4) Once this bug is tended to by the WICD developers, we will use their official patch rather than patching our packages using untrusted sources.

"To summarise, we belive that the intentional misrepresentation of this bug report has discredited BackTrack unecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do."

It seems that ISI have been criticised over how this was handled. I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year. I haven't been on any of their courses and this is merely an observation ... but is it a coincidence?

ajohnson wrote:I'm pretty sure they wrote the comment in the article I linked to as well. Notice the "us" in the first point.

Good point. I didn't even notice that at first. I think they are burning a lot of bridges with the wrong people...

Ignatius wrote:It seems that ISI have been criticised over how this was handled. I recall there was a lengthy dispute between ISI and PVE about the origin of some course material last year. I haven't been on any of their courses and this is merely an observation ... but is it a coincidence?

I think you are correct. I remember twitter was "on fire" when this happened. Has anyone used ISI training at all? Is this just unfortunate luck for ISI or does their coursework reflect this behavior?

in my opinion OffSec bit back a little too hard. sure they made it look worse than it is, and pointed out backtrack in particular while it is a vulnerability in an application that they use, not developed, but a simple statement that they are indeed vulnerable (which is a completely different discussion also, being a single user/root OS with a privilege escalation) but it is out of there hands because the vendor of the application needs to fix the bug, not them.

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

I would agree with that. But I would also counter that every news agency in the US is guilty of the same thing. But ultimately you guys are correct, ISI needs to take a close look at what happened here and what they can do to learn from it.

EDIT: they have modified the article above with the following statement:

"Update 4/12/12: The wicd team has released a new version that fixes this bug (CVE-2012-2095). The title of this advisory upon release has been, and always has been "wicd Privilege Escalation 0DayTested against Backtrack 5, 5 R2, Arch distributions". When we tweeted and emailed to mailing lists the notifications of this vulnerability, we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day ", which is misleading and could lead people to believe the bug was actually in Backtrack. The bug has always resided in wicd and not in any Backtrack team written code. We apologize for the confusion to the Backtrack team and any other persons affected by this error. We feel the Backtrack distro is a great piece of software and wish muts and the rest of the team the best. "

Last edited by SephStorm on Fri Apr 13, 2012 6:13 am, edited 1 time in total.

j0rDy wrote:ok, after reading this it seems that it all got a little bit blown out of proportion. Perhaps an honest mistake even?

I think everyone's patience with ISI is still a bit thin after the relatively recent Corelan debacle.

SephStorm wrote:we incorrectly shortened the title and called it "Backtrack 5 R2 priv escalation 0day ", which is misleading and could lead people to believe the bug was actually in Backtrack.

That still seems obviously intentional. You don't accidentally make the same mistake on Twitter, Full Disclosure, here, the Backtrack Forums, etc.

It seems like ISI has a disconnect between the business side and the technical experts. I've worked at organizations like that before, and it's extremely frustrating. I imagine the news of someone discovering a vulnerability while working with Backtracking making it to someone in marketing or upper management, and once that happens, it's out of control and becomes an internet-wide embarrassment. I think it's important to distinguish the business itself from the individual professionals that work there and not disparage them personally. This situation was likely out of their hands (and most probably didn't find out about it until it was tweeted, etc.).

At the same time, a good instructor or (hopefully original) courseware doesn't excuse these types of mistakes. This whole situation was handled horribly. "Backtrack" attention-grabbing aside, they tweeted that they emailed muts a week before they released the news. First, you only give vendors a week to address vulnerabilities? Second, since they apparently new this was nothing specific to Backtrack, why are they emailing muts at all? Did they ever provide any notification to the wicd developers?

I think the worst part of all this is that the student elected to remain anonymous because they rushed this story to the figurative newsstand. That guy or gal got completely screwed. Who wouldn't want a feather in their cap for finding an exploit and writing a POC, even if it is rather trivial? Why not work with the developer, wait for an official patch to be released, and then post the write-up? It's even more ridiculous because the wicd guys could crank this patch out quickly; it's not like they'd be looking at an 18-month ETA from Oracle. Was this really such earth-shattering news that it couldn't wait a couple weeks?

Also, while this particular vulnerability was a non-issue, is this the type of disclosure we can expect from ISI? What if it was actually something serious? It seems a bit ironic to showcase this on their Ethical Hacking Training page.